7MS #532: Tales of Pentest Pwnage - Part 39
7 Minute Security5 Aug 2022

7MS #532: Tales of Pentest Pwnage - Part 39

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this:

If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/

A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so:

gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache

Then in most tools you can pass the cred by doing something like:

crackmapexec smb DC01 -k

In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage!

I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance.

Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

Episoder(683)

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

This is a follow-up to episode #64, in which I did some fun wireless sniffing and tried to find sensitive data within it! In the episode I talk about the network “map” of my sniffing setup. It looks like this: Ethernet from client->upstream port of hub My laptop with Wireshark->Hub Wifi access point->Hub To find…

9 Jun 20157min

7MS #66: I’m Excited to Go Phishing – Part 2 (audio)

7MS #66: I’m Excited to Go Phishing – Part 2 (audio)

This is a follow-up to episode #63, discussing the results of a fun phishing campaign I recently completed. 7MS #66: I’m Excited to Go Phishing – Part 2 (audio)

4 Jun 20158min

7MS #65: OFFTOPIC-Still Alice (audio)

7MS #65: OFFTOPIC-Still Alice (audio)

Warning, this episode is off topic and has NOTHING to do with infosec! Nope! Instead, it’s a review of the movie Still Alice. Yep. That happened. 7MS #65: OFFTOPIC-Still Alice (audio)

3 Jun 20157min

7MS #64: Wifi Sniffing is Fun-Part 1 (audio)

7MS #64: Wifi Sniffing is Fun-Part 1 (audio)

I got a fun project involving wireless sniffing, followed up by scraping through packets looking for credit card data! Here’s part 1, which talks about about software/hardware you might need to do this the right way. 7MS #64: Wifi Sniffing is Fun-Part 1 (audio)

28 Mai 20157min

7MS #63: I’m Excited to Go Phishing (audio)

7MS #63: I’m Excited to Go Phishing (audio)

This week I’ll be launching a phishing campaign against an organization that has been well trained to defend against such malicious attacks and links! Will this organization break my company’s 100% success rate for phishing, or will I be able to craft an email to fool at least one person? 7MS #63: I’m Excited to…

21 Mai 20157min

7MS #62: You Should Run LAPS (audio)

7MS #62: You Should Run LAPS (audio)

I’m excited about this! Microsoft has released a tool called Local Administrator Password Solution to help administrators manage local admin credentials for domain-joined machines. Check out this article for more information, and please contact me if you end up running this, as I’d love to hear about your experience. 7MS #62: You Should Run LAPS…

19 Mai 20157min

7MS #61: Why Local Admin Rights Suck (audio)

7MS #61: Why Local Admin Rights Suck (audio)

Users running as local admins on their machine are a big risk! This episode discusses some reasons why, and also here is the link to the Avecto study I mention regarding how many Microsoft vulnerabilities would be thwarted by removing admin rights. 7MS #61: Why Local Admin Rights Suck (audio)

14 Mai 20158min

7MS #60: How Not to Suck at Customer Service (audio)

7MS #60: How Not to Suck at Customer Service (audio)

This episode was inspired by two awesome customer service experiences I had in the past week. It got me thinking: how can we as infosec professionals suck less with our customer service approach? 7MS #60: How Not to Suck at Customer Service (audio)

12 Mai 20158min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
forklart
stopp-verden
popradet
nokon-ma-ga
dine-penger-pengeradet
det-store-bildet
fotballpodden-2
unitedno
aftenbla-bla
e24-podden
rss-ness
rss-penger-polser-og-politikk
rss-fredrik-og-zahid-loser-ingenting
oppdatert
rss-borsmorgen-okonominyhetene
bt-dokumentar-2
chit-chat-med-helle